General

  • Target

    SpySheriff.zip

  • Size

    1.3MB

  • Sample

    240423-rttayaha6s

  • MD5

    5ec70a62b7fa20507ab4b70c3389bb37

  • SHA1

    68ee641337d66b3d6c31dd7f0729afbf2bbdc069

  • SHA256

    d16dddc1e9ad69c5ef67afd93eb801c74ca5b95ec8b46741786c8c8ec47b1b1d

  • SHA512

    0a11577e6ca68124741cf9d3f9357839cd28e83b60a074b06065a962102c14401ecd7035042b9197263ca42626b14e18356d4d413fb2217f52cfe93009cb56e8

  • SSDEEP

    24576:VNgDMZ96GXyY03689pDhw0Ifxpa+7FLzMrn7a7gIWAxZjD9YenhEdNxA1P:7c05yY2vDhAraskS7p/NY2KA1P

Targets

    • Target

      SpySheriff.zip

    • Size

      1.3MB

    • MD5

      5ec70a62b7fa20507ab4b70c3389bb37

    • SHA1

      68ee641337d66b3d6c31dd7f0729afbf2bbdc069

    • SHA256

      d16dddc1e9ad69c5ef67afd93eb801c74ca5b95ec8b46741786c8c8ec47b1b1d

    • SHA512

      0a11577e6ca68124741cf9d3f9357839cd28e83b60a074b06065a962102c14401ecd7035042b9197263ca42626b14e18356d4d413fb2217f52cfe93009cb56e8

    • SSDEEP

      24576:VNgDMZ96GXyY03689pDhw0Ifxpa+7FLzMrn7a7gIWAxZjD9YenhEdNxA1P:7c05yY2vDhAraskS7p/NY2KA1P

    Score
    1/10
    • Target

      IESecurity.dll

    • Size

      41KB

    • MD5

      04ea7f07722c9c03cf932876a841183a

    • SHA1

      cfb77d3970be7037dcdd887e862d7bbbf4855640

    • SHA256

      f407f96d71d6fa7597ce85abb9ba4bdd95d02fe7f2ef46f0c343a4a0d6115c0d

    • SHA512

      bc70b4a7fc5cf8a6edc01a53e8a0c216ea3c7c81daa6020b35326dfe2db28d1851b7d558e023af2295aa58ab10285ba016aea9fe950f9bbc3a3722f3ae5beea9

    • SSDEEP

      768:VgTrL1xJddyW9QtPW1pVHkmTHzHtCo9vQDbUGTO:VS/JGUQtPWhEmTHzHAo1QDbUGTO

    Score
    6/10
    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

    • Target

      ProcMon.dll

    • Size

      32KB

    • MD5

      894745b78819bfe885a068b5412dd192

    • SHA1

      75d24b9c7bee65f2b088f58f4e422c744f7eeeba

    • SHA256

      acb1ceb5a01227cb6506c30c5693387441be1c3af0e69eae3d07092075c995a8

    • SHA512

      3a8f311dad8abeb772531779592df96a18d1e5cfd643692e3b2485f5fbf381f91406ab12e121e8bdb2867b1a7d5b59a86e5e73e34d3a0ef792069fdac2a30a12

    • SSDEEP

      384:vQHejeETXLLxJ507mlvZysfqy7XJxo99p4jB+k/:TjeETXvR0WRi8XJxo99p4jB+

    Score
    1/10
    • Target

      ReadME.txt

    • Size

      438B

    • MD5

      31815edae18113dd40e47953fbd86a5c

    • SHA1

      179e36a58b1d3d9a212d6385d9adac39950b9577

    • SHA256

      435ee366a17ea1a2c29473928f77a6ce9c7e0745c57982afdc3629240f58ea87

    • SHA512

      e9565fea21206a89e3dd5ea23684cfe60aa6921fefb57c6100a44335e777fbfabb7616ccdaefa441045e02ce8cf3e54b9edca98590641b844a7c5f1fa75ad336

    Score
    1/10
    • Target

      SpySheriff.dvm

    • Size

      100B

    • MD5

      4a656c63897ca241f5b162b885510c82

    • SHA1

      63b6590ee77ca9f52570d79fda2c6043d3dc112b

    • SHA256

      e36b521029b99d1698724aa08c817d15382a27a81a7c736c12145364e2e94432

    • SHA512

      a7001315e46f0478731e8f42f02ec25fa84f5e332477fb1517dd4a7fec1bd53ec15f9c177e280a9c513815f9496e94bd1674e504260d200b54cdeee4756e4f31

    Score
    3/10
    • Target

      SpySheriff.exe

    • Size

      403KB

    • MD5

      c899f93e8b753fedd068ef3fe2edb0fd

    • SHA1

      144b1f18d0e307d14937c21ca1d7cbfc91828a10

    • SHA256

      5c2a85fb56de2e0a1a1d260ef2177e0209477586c8a6740494bbaf40a9785f47

    • SHA512

      1aceacb4eba0815322dd3fcd273d8703408362eee3b2d2b5981d2abbe4c2b02852608f46b2e7ce46a50e921871d445c239014b5957c6ba0606bd0334ce7bd41b

    • SSDEEP

      12288:eBMDMf+ztV53y2k9I68iXDycz+rYIYsVRSHsDr:eS4S53h68eIZjD

    • Modifies RDP port number used by Windows

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Target

      Uninstall.exe

    • Size

      36KB

    • MD5

      a846e764e1b11edda7b233eed37b60f3

    • SHA1

      7c072ff57e369705cd64801c87c3618951890f53

    • SHA256

      af0d7f1a4388da8050f3d3612513f5e0e190f783179502dc7fd099e1b3db8015

    • SHA512

      b6363ccbe1bf2c9bfdcaa1afc6a9cbe22886abc32107c94dbcd74bd8de4146a466bc2d0bfeb1db1b5f036462cd31653f73e6273ed39ac4bd82a16e1f4c1621b9

    • SSDEEP

      384:4l1fU0XdOGml1ZWyyRnBnZWOh6ohsEeR0B958XCq4:AxdZys9Nh6oC0z55z

    Score
    1/10
    • Target

      base.avd

    • Size

      401KB

    • MD5

      5ce1bb147548e1424ee4794a03ffb252

    • SHA1

      a47a088e3fbdf7c3885e7f4b30af24f51f495e64

    • SHA256

      6a20b1d7772edda460ff20333983eee22df3c6090c0128027e44692b623c6b14

    • SHA512

      3f62a70074a238b4aa8a3f980ffa88414e6aa4cea2cbad4646a3581e99827c0156a1dc45232efe7f0642745d5ce1204c5c5569694788cce0cb2f6fdac24cfdc7

    • SSDEEP

      12288:DBdq3/2agl3HgBzXOvOacnFp0wNl4MQpM1OeKAM0:TkuZyXOvyowUOOeLM0

    Score
    3/10
    • Target

      base001.avd

    • Size

      268B

    • MD5

      275c9b3d643f138225d0982245f54f9b

    • SHA1

      a201aa1b25f0236630f190b1f088cad1a7aa2105

    • SHA256

      31b2a7ba93c459ef724e664505240ec8c0dfb495045ca3dda1094ab50f47d2ed

    • SHA512

      9c28ddc3cd080a9ab9a0a0a0bffd38fdea4e76ec2844b909a96db52824714f6b753a4d8fb55d10319cff348b59950812471f77694e90cb234593b5e09b9beba6

    Score
    3/10
    • Target

      base002.avd

    • Size

      15KB

    • MD5

      0c81faaf2e8a8668734e159e31367059

    • SHA1

      7a8f9f679c25de849b7185de7e5302bdeedea55b

    • SHA256

      5d68981bf1c14119b05b57a59ec918566c71e11da24a5b425e1d00a0324e9f95

    • SHA512

      e59c03c4f70e3dbf0a043a1f9cac8f680738fd4b68527bf2be3070ed95429b460608f47c4261ab9672d9f0ee94edc42bae921370f3427a4e4870ac938b705e86

    • SSDEEP

      384:2GroxvfRKLZy6XxbV1pj071IzRqMx14pPtbeQVRNWONm+R:xGvp8xbvpASqE1eRM70

    Score
    3/10
    • Target

      found.wav

    • Size

      7KB

    • MD5

      3faef40d30921bd14fc16d8df716b930

    • SHA1

      88bff644c535012d4a0f306f5ab06b8e835086bd

    • SHA256

      7651066d2eca622e832125f0766d0aa7aecc6ff2fa72f07354f20abeb2b99208

    • SHA512

      7707e436b620ccb3acc733b101860dcf8315fd0687397e61f4e5957458b09ebab8bc85b25243eb54392c2be7e109cb53cc0952602381398efec68499039cfd08

    • SSDEEP

      192:jwwBnVSn6gGGywj1yhvdKgucgRk7KuhmKaV:jwwfpcj1yq/cdmuhmKaV

    Score
    6/10
    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      heur000.dll

    • Size

      124KB

    • MD5

      ca4822789da674e2ae4658ee4250adb5

    • SHA1

      58c3f3f15781cd775ce485f5c4d392b31bdbbe10

    • SHA256

      16e8d6dc3e1c3562f8f7e98d492c152965fc08d7cc57e3846e35de11af49092e

    • SHA512

      7022c63c100acc1cd2083f051ce37baa8a8e1dd1fad7c76e0ff90e05fc1c59356f9e2ae09402ca4f91bafece0c9ee52af804c52f05e6453d42bf3816542a61d7

    • SSDEEP

      3072:prQm5MC1bRoAwOSxoPMVsf0nQla8vxgs2N+r3rk:Km53RRgPvSCsDr3r

    Score
    1/10
    • Target

      heur001.dll

    • Size

      124KB

    • MD5

      840c8e9d2aaccc87d6dad1d409e45a10

    • SHA1

      41be046bf69a7a5bbf27b224554f42d81f5c9c47

    • SHA256

      68fe6616070f5d5d20b12ff020a6197ae93a93ae06d24bf6e872cc35862f758f

    • SHA512

      ed9bf5b7252e26035e1c5779f7f4a065315970e206dc23463cc7dec07a0e890e0757c757a6ff4d910cff639b911b54b20acd488a2190dcc4ee29628b39eb4012

    • SSDEEP

      3072:WPJLnHOfXoAwOSxoPMVsf0nQla8vxgs2N+r3r+f:WPeRgPvSCsDr3r+f

    Score
    1/10
    • Target

      heur002.dll

    • Size

      117KB

    • MD5

      ee21fd7fa9a45453ed55ccb7ce7b9aaa

    • SHA1

      335d0f3bad37dfc77cafa85b2f56c27688e64e7d

    • SHA256

      1f6a5cd4ec1e361925b80b7b4f18b77ff70f0d27d5f6bc043f605363f1f2ef05

    • SHA512

      d8c244c3f188a9a348cf32f1982fe4a7ff7c5a21e45ef8a5a69033b7287fd1b83bf83de2659f9cdcd516e4bef17d84cec2f0a0abcb59108127f2c2ab771f865d

    • SSDEEP

      3072:p0WzeOMDsoAwOSxoPMVsf0nQla8vxgs2N+r3rYF:uWq/DsRgPvSCsDr3r

    Score
    4/10
    • Target

      heur003.dll

    • Size

      118KB

    • MD5

      bb06f2c0d34812d455aecc790aab74d4

    • SHA1

      b206b3f29a3823ac4dad859c13e32dfa1f5f92f0

    • SHA256

      45f6c21d358f56679acb89adeda25e296ab0eb5518eda33a175a1e22cfd71e19

    • SHA512

      f5a4d616fa5e55072c360101216fee9a43c26572910d68ad2b7b68e8fbd3ad0f68aeaa84ffc6bbcbfb8c32e2e82eb2a6f0f5b51d33e640e70c4fd495222042ad

    • SSDEEP

      3072:+CL0FKkhYyoAwOSxoPMVsf0nQla8vxgs2N+r3rWM:+4Q9/RgPvSCsDr3r

    Score
    10/10
    • Target

      notfound.wav

    • Size

      20KB

    • MD5

      b6db2d81423853ca8e82bd42e04e9ab2

    • SHA1

      cfe0832bd5b107c94a54dc3c64df930462955dcf

    • SHA256

      05c118e5a69fb0603c4e4d6357d3b92e3aca6e93883955eb9ec08110edc65fd5

    • SHA512

      56ab7ad06fa0e55f44674279e9957cb96b13b090c0a61dd613c062654c37da2bff3dcf4a7d765db313de7fa19bb859794d3c06dfdadca23e45acf7c5c5fa6c19

    • SSDEEP

      384:fWkYjsRliyvEwE5KDNYRcxHw6m6PV7WnG2q5FN2Kli+C:fuj04yvEwEM6Rcxjt4Bm0

    Score
    6/10
    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix ATT&CK v13

Persistence

  • Browser Extensions (T1176): 1
  • Event Triggered Execution (T1546): 2
  • Change Default File Association (T1546.001): 2
  • Boot or Logon Autostart Execution (T1547): 3
  • Registry Run Keys / Startup Folder (T1547.001): 2
  • Winlogon Helper DLL (T1547.004): 1

Privilege Escalation

  • Event Triggered Execution (T1546): 2
  • Change Default File Association (T1546.001): 2
  • Boot or Logon Autostart Execution (T1547): 3
  • Registry Run Keys / Startup Folder (T1547.001): 2
  • Winlogon Helper DLL (T1547.004): 1

Defense Evasion

  • Modify Registry (T1112): 7

Credential Access

  • Unsecured Credentials (T1552): 1
  • Credentials In Files (T1552.001): 1

Discovery

  • System Information Discovery (T1082): 12
  • Query Registry (T1012): 7
  • Peripheral Device Discovery (T1120): 2

Lateral Movement

  • Remote Services (T1021): 1
  • Remote Desktop Protocol (T1021.001): 1

Collection

  • Data from Local System (T1005): 1

Tasks

static1

aspackv2
Score
7/10

behavioral1

Score
1/10

behavioral2

Score
1/10

behavioral3

adware stealer
Score
6/10

behavioral4

adware stealer
Score
6/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

Score
1/10

behavioral8

Score
1/10

behavioral9

Score
3/10

behavioral10

Score
3/10

behavioral11

discovery evasion persistence spyware stealer trojan
Score
7/10

behavioral12

discovery evasion persistence spyware stealer trojan
Score
8/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

Score
3/10

behavioral16

Score
3/10

behavioral17

Score
3/10

behavioral18

Score
3/10

behavioral19

Score
3/10

behavioral20

Score
3/10

behavioral21

Score
1/10

behavioral22

Score
6/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

Score
1/10

behavioral26

Score
1/10

behavioral27

Score
4/10

behavioral28

Score
4/10

behavioral29

persistence
Score
10/10

behavioral30

persistence
Score
10/10

behavioral31

Score
1/10

behavioral32

Score
6/10